☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Rare Program to Rare IP

The Rare Program to Rare IP Detector looks for a combination of a rare program hashes executed and traffic with rare destination IP addresses on a single host within the same time period.

Rare Program to IP

Rare Program and Rare IP Alert

If there is a correlation—that is, the process id and process time window of the process and destination IP address match—between the destination IP and the rare program for the same host, an alert is sent to the Secureworks® Taegis™ XDR Alert Database and Dashboard. The recommended action for an alert is to pivot on the host or source IP address listed in the alert and to look into the user that executed the process listed in the alert.

Rare is defined as unique within the entire XDR data lake within a period of 60 days. Rare doesn’t necessarily mean the program is malicious. Adversaries might craft a weaponized valid program or even deploy outdated and vulnerable programs to exploit these. At the same time, unsuccessful patch management might also leave outdated programs behind that this detector potentially could surface. Therefore the detection helps increase visibility to potential entry vectors for adversaries.

Schema ⫘

Netflow, Process

Outputs ⫘

Rare Program to IP alerts pushed to the XDR Alert Database and XDR Dashboard.

MITRE ATT&CK Category ⫘

The Rare Program to Rare IP Detector has no MITRE Mapping.

Detector Requirements ⫘

Netflow, Process

On this page:

Schema
Outputs
MITRE ATT&CK Category
Detector Requirements